Earlier this year, the IRS revealed that hundreds of organizations were (successfully) hit by a spear-phishing attack. The target? Employee tax documents that included social security numbers, addresses, and wage information.
This attack didn’t just hit tiny organizations, either. There were several major corporations that fell prey to it, including Snapchat, GCI, and Mansueto Ventures. Yeah – it’s bad.
“A new group of phishers is trying a new tactic: sending out emails that appear to be in-house – often from the CEO or CFO – asking HR personnel for the W-2 information of employees companywide,” explains Douglas Bonderud of Security Intelligence. “Since the email looks official and the request seems reasonable, it’s no surprise that several businesses have already been victimized.”
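The tactic Bonderud describes has a recognizable shape on the wire: an executive's display name on an address outside the company domain, a Reply-To pointing somewhere else, and a request for W-2 or payroll data. The following is an added example, not code from the article or from Security Intelligence, showing how a mail gateway or HR mailbox rule could flag that pattern. The domain, executive names and sample messages are constructed for the example.

```python
"""Added example: flag e-mails that impersonate an executive (display-name
spoofing) and ask for employee tax data.  Hypothetical rule set, not from
the article."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed for the example): the organization's mail domain
# and the names of the executives most likely to be impersonated.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}
SENSITIVE_TERMS = re.compile(r"\b(w-?2|ssn|social security|payroll|wage)\b", re.I)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def flag_message(raw: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation.
    An empty list means no rule fired."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(addr)
    reasons = []

    # Rule 1: display name is one of our executives but the address is external.
    if name.strip().lower() in EXECUTIVES and from_dom != INTERNAL_DOMAIN:
        reasons.append(f"executive display name '{name}' on external address {addr}")

    # Rule 2: replies are redirected to a domain other than the sender's.
    if reply_to and domain_of(reply_to) != from_dom:
        reasons.append(
            f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_dom}"
        )

    # Rule 3: an external sender asking for employee tax or payroll data.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if from_dom != INTERNAL_DOMAIN and SENSITIVE_TERMS.search(text):
        reasons.append("external sender requests sensitive employee data")
    return reasons


# Constructed sample messages (not real mail).
PHISH = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.urgent@freemail.invalid
To: hr@example.com
Subject: W-2 forms needed today

Please send me the W-2 information for all employees as a PDF.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Lunch next week

Are you free Tuesday?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, flag_message(raw) or "no findings")
```

Rules like these are a backstop, not a substitute for the awareness training the rest of the article argues for: a lookalike domain with a matching Reply-To, or a genuinely compromised executive mailbox, passes the first two checks, which is exactly why the human on the receiving end still has to verify the request out of band.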
Likely as not, most of the organizations hit by the attack had pretty good security at the network and device level. They authenticated all their users, had a strong firewall, regularly monitored for suspicious activity and scanned for malware, encrypted their hard drives…
And the attackers knew that.
“If you are a target of convenience, understand that hackers are more than happy to take the path of least resistance,” writes Security Week’s Jim Ivers. “This is why protecting against obvious, well-known attack vectors is critical.”
One of the best-known attack vectors isn’t software or hardware based. It’s not a bug in your firewall, a lack of file security, or a misconfigured device. It’s your employees.
People make mistakes. That’s a fact of life. And after a long day of work, if someone receives an email from an individual who – for all intents and purposes – appears to be the CEO or a higher-level executive in their company?
Their guard will be down. There’s a good chance that rather than fact-checking and ensuring the person’s actually who they say they are, the employee will simply acquiesce and send out sensitive data.
The chances of this happening increase exponentially if the employee doesn’t understand phishing.
This is one of the many reasons why an employee education program is essential. By teaching your staff to recognize the warning signs that they’ve been targeted by a phishing scam – and establishing a set of best practices for if and when they are – you significantly reduce the chance that they’ll fall prey to a cyber-criminal.
While you should still incorporate a few other measures against employee error (such as file-level security), a mandatory security training program is a must in today’s threat landscape. Your employees are freer and more empowered than they’ve ever been. While on the one hand, that means they’re working more efficiently and effectively, on the other, it means that hackers who want to target your business through a hapless staffer have a wealth of targets.
And you need to do everything in your power to stonewall them.